Why does my division of two fields return nothing?

sjcoluccio67 · ‎04-30-2018

I have the following query that is inteded to divide the "stats.hypervisor_cpu_ppm" field by 10000 and then show that value in a table.

   index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=* | eval usage=stats.hypervisor_cpu_usage_ppm / 10000 | table host, stats.hypervisor_cpu_usage_ppm, usage | dedup host

When I run the query, It gives me a table with the host, the values for stats.hypervisor_spu_ppm, and then an empty column for usage. Why is the usage column empty?

aropaltioali · ‎05-07-2020

Hey!

I bumped into this thread and noticed this was not solved.
If you noticed the fields are presented as string (a not,#) and the tonumber fails due to multiple values in the string.

Here's the how I found out the solution:

/opt/splunk/etc/system/local/props.conf

[nutanix_arch]
KV_MODE = none
AUTO_KV_JSON = false
INDEXED_EXTRACTIONS = JSON

https://answers.splunk.com/answers/610585/json-format-duplicate-value-in-field.html

Now the field is an interger and you can eval it with the following command:
|eval usage='stats.hypervisor_cpu_usage_ppm' / 10000

Hope this helps! 🙂

rnayshulis · ‎06-13-2018

I am running into a similar issue and have discovered that splunk is extracting the field that I'm dividing incorrectly. I have a field that's something like size=123 in my events, but splunk for some reason grabs user agent string from the events and assigns that to size. So make sure your stats.hypervisor_cpu_usage_ppm field has actual numerical values that you expect. I'm still working on fixing my problem, will update here if fixing field extraction fixed the division problem.

ssadanala1 · ‎04-30-2018

Can you try the below

index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=*
| dedup host
| eval usage=tonumber(stats.hypervisor_cpu_usage_ppm) / 10000
| table host, 'stats.hypervisor_cpu_usage_ppm', usage

Thanks

sjcoluccio67 · ‎04-30-2018

No luck, the usage column is still empty. also putting the quotes around stats.hypervisor_cpu_usage_ppm like this : | table host, 'stats.hypervisor_cpu_usage_ppm causes that column to be empty as well.

ssadanala1 · ‎04-30-2018

Please try this and can let us know whether stats.hypervisor_cpu_usage_ppm has field values populated

index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=* |dedup host |table stats.hypervisor_cpu_usage_ppm |eval number = 1000 |eval divide = stats.hypervisor_cpu_usage_ppm/number

sjcoluccio67 · ‎04-30-2018

This only returns two columns. The "stats.hypervisor_cpu_usage_ppm" column has its values and then htere is a "divide" column that just has the value 10000. I used you suggestion and tried the following, but it left me with the same problem that I have been having - the "usage" column is empty.

index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=* |dedup host |eval number = 1000 |eval usage = stats.hypervisor_cpu_usage_ppm/number | table host, stats.hypervisor_cpu_usage_ppm, usage

somesoni2 · ‎04-30-2018

Can you post some sample entries that you see for field stats.hypervisor_cpu_usage_ppm, before division?

sjcoluccio67 · ‎04-30-2018

Here is an example of entries for that field:

stats.hypervisor_cpu_usage_ppm

286690
286690

745400
745400

somesoni2 · ‎04-30-2018

Shot in the dark, try this

index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=* | eval usage=replace('stats.hypervisor_cpu_usage_ppm',"\s+","")/10000 | table host, stats.hypervisor_cpu_usage_ppm, usage | dedup host

elliotproebstel · ‎04-30-2018

Is that the value of a single field? Is it a multivalue field?

woodcock · ‎04-30-2018

Try this:

index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=*
| dedup host
| eval usage=$stats.hypervisor_cpu_usage_ppm$ / 10000
| table host, $stats.hypervisor_cpu_usage_ppm$, usage

Or this:

index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=*
| dedup host
| eval usage='stats.hypervisor_cpu_usage_ppm' / 10000
| table host, 'stats.hypervisor_cpu_usage_ppm', usage

sjcoluccio67 · ‎04-30-2018

Niether of these worked. In fact, they both resulted in the stats.hypervisor_cpu_usage_ppm column being empty as well as the usage column

elliotproebstel · ‎04-30-2018

I believe you need to replace this:

| eval usage=stats.hypervisor_cpu_usage_ppm / 10000

with this:

| eval usage='stats.hypervisor_cpu_usage_ppm' / 10000

Splunk has some quirks about when field names must be wrapped with quotes in order to reference them, and field names with non-alphanumeric characters often trigger those.

sjcoluccio67 · ‎04-30-2018

I have tried this, but I get the same empty column. I tried double quotes as well, but that returned an error becuase Splunk read it as a string being divided by a number.

macadminrohit · ‎04-30-2018

Try this:

index=nutanix sourcetype=nutanix_arch stats.hypervisor_cpu_usage_ppm=*
| dedup host | rename stats.hypervisor_cpu_usage_ppm as USAGEPPM
| eval usage=USAGEPPM/ 10000
| table host,USAGEPPM, usage

basically i have renamed the field stats.hypervisor_cpu_usage_ppm as USAGEPPM

sjcoluccio67 · ‎05-02-2018

This does not work either... I don't know why this is happening, it doesn't make much sense.

Why does my division of two fields return nothing?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor